Re: CVE for hosted services
On 2017-02-23 19:05, jericho wrote:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
>
> Harold, how would you write a CVE-ish description of this, in the context
> of moving CVE to site-specific issues? The service and info disclosed is
> the easy part. Then what? Do you also mention some of the services that
> use Cloudflare? Some businesses may know, where individuals do not (e.g.
> 1Password is hosted on it). What date range do you put down for this? You
> know the fix date, but not the start date. This goes back to the problem
> of making such entries useful to companies trying to determine risk.
Not answering your question, but:
This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it." The description might
be tricky, but the description is primarily to catalog/de-duplicate, not
to help assess risk.
CVE is a lower layer of infrastructure. Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.
- Art